FRITZ!Box home broadband routers' security FRITZed
SOHOpeless vuln gives attackers free VoIP calls
The FRITZ!Box range of home broadband routers, popular in Germany and Australia, needs patching against a variety of remote code execution bugs.
Germany's RedTeam Pentesting turned up the bugs in model 3272, 7272, 3370/3390/3490, 7312/7412, 7320/7330 SL, 736x SL and 7490 devices. The vulnerabilities are present in all firmware versions prior to 6.30.
While the bugs were first turned up in 2015, the white hats have only now explained the discovery in detail. They explain that the advisory was held back to give the vendor time to get its fixed firmware out the door.
While looking over the devices' outputs, they noticed that sending the right SOAP request to the interface returns the commands implemented in the dsl_control program (rather like asking for help on the command line).
Most of the commands the testers found could be accessed without authentication, and since the firmware is partly based on OpenWrt, it's not hard to learn the commands' purpose.
Since FRITZ!Box devices combine broadband router and VoIP, the ability to execute unauthenticated arbitrary code means an attacker can place phone calls through the compromised device.
Attackers could also eavesdrop on traffic and install backdoors, RedTeam says.
All users of the vulnerable firmware should fetch an update from AVM, manufacturer of the FRITZ!Box, but since it's a home device, nearly nobody will ever hear about the fix, never mind implement it.
Updated to add
Since this story went live, it has emerged that the affected service is firewalled from the network side of the FRITZ!Box, which means an attack would have to start locally – within the home network or from a malicious script running on a webpage visited by a victim, for example.